In this guide, you’ll learn how to automate Intune app deployment using Microsoft Graph API and PowerShell. It walks through creating an Intune app deployment with the Graph API, first in Graph Explorer and then in a PowerShell script.
Intune leverages Microsoft Entra groups to facilitate the management of users and devices. As an Intune administrator, you can create customized groups to meet your organizational requirements. These groups are useful for categorizing users or devices based on their geographic location, department, or hardware specifications, thereby allowing for efficient task management at scale.
For example, you can implement configuration policies and profiles for a group of users or distribute applications to a particular set of devices. Just as with SCCM collections, the users or devices must be included in the Microsoft Entra groups to receive the policies and applications.
I use the Microsoft Graph API to automate Intune app deployment in this article. By the end of this article, you can deploy any application created in Intune to security groups using the code shown here.
Types of App Assignments in Microsoft Intune
It’s important to note that you can deploy an app to a device whether it is managed by Intune or not. Before automating the app deployment in Intune, you should know the types of App Assignments in Microsoft Intune. Let’s explore each assignment type in detail before we start the automation.
When you choose the Required Assignment type, the app will be installed on devices in the selected groups. Required apps are installed automatically on enrolled devices. Some platforms may have additional prompts for the end user to acknowledge before app installation begins.
If you want to uninstall any app, you should choose Uninstall type in the assignment tab. Apps with this assignment are uninstalled from managed devices in the selected groups if Intune has previously installed the application onto the device via an “Available for enrolled devices” or “Required” assignment on the same deployment.
The Available for Enrolled Devices type will assign the app to groups of users who can install it from the Company Portal app or website. You can assign the app to groups of users whose devices aren’t enrolled with Intune using the Available with or without enrollment type.
Video – Intune App Deployment Automation using Microsoft Graph API
I have recently covered the Intune App Deployment Automation using Microsoft Graph API and PowerShell in the attached video.
Get the App ID of the Store App using Graph API.
Recently, I wrote an article detailing how to use the Microsoft Graph API to add Store Apps to Intune. In this next step, we will assign the app to an Entra group using the same API.
Microsoft Whiteboard was the Store App that I created for testing. You may choose any App that you would like to deploy. However, you must have the app ID handy to assign an app using Graph API. Let’s learn how to get the app ID of the Store App using Microsoft Graph API.
I will use Graph Explorer, a handy browser-based tool for running Graph calls, to make the API calls. Note that it executes a single request at a time and does not support batched commands.
NOTE! You may need to log in to Graph Explorer using your credentials if it's your first time.
Access to the endpoints below requires two permissions: DeviceManagementApps.Read.All and DeviceManagementApps.ReadWrite.All. You may receive a Forbidden error if your query lacks the necessary permissions to run.
Permission | Description |
---|---|
DeviceManagementApps.Read.All | Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. |
DeviceManagementApps.ReadWrite.All | Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. |
The endpoint below can be used to get Microsoft Whiteboard’s app ID. Since you are retrieving data from APIs, you should use the GET request method for the endpoint.
https://graph.microsoft.com/beta/deviceAppManagement/mobileApps?$filter=displayName eq 'Microsoft Whiteboard'&$select=id,displayName,description
Replace the Graph URL with the above endpoint and click on Run query. Within seconds of clicking Run query, you will receive a success message with the text OK- 200.
You can view the output in Response Preview. Note the ID for further use. You can add more properties to the endpoint to obtain additional details about the app.
Get the Security Group ID using Graph API
As discussed above, we will assign the app to a security group in Intune. Hence, you need the Security Group’s groupid to deploy the Store App using Graph API. Let’s learn how to get Security Group’s groupid.
- Sign back in to Graph Explorer with your admin account.
- Replace the Graph URL with the following endpoint.
https://graph.microsoft.com/v1.0/groups?$filter=displayName eq 'HTMD - Test Computers'&$select=id,displayName
Within seconds of clicking Run query, you will receive a success message with the text OK- 200. Make a note of the groupid for further use.
Automate Intune App Deployment using Graph API – Assign the Microsoft Store App
Using two scenarios, I plan to evaluate the Required Assignment type in this example. The first option is to make the assignment type Required and install it as soon as possible. The second option is also to make the assignment type Required but set a deadline for the installation. I will specify the date and time of the deadline in the code.
We have collected all the prerequisites to assign the Microsoft Store App using Graph API. Keep the Security Group’s groupid and Store App’s app ID handy. Let’s create a deployment now!
- Sign back in to Graph Explorer with your admin account.
- Replace the Graph URL with the following endpoint.
https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/{app-id}/assignments
You should use the POST request method for the endpoint since you are sending data to the API. Change the request method from GET to POST and paste the JSON below into the request body.
```json
{
    "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "groupId": "48bd6547-dc18-498e-8143-11c49a818836"
    },
    "intent": "required",
    "settings": {
        "@odata.type": "#microsoft.graph.winGetAppAssignmentSettings",
        "installTimeSettings": {
            "deadlineDateTime": "2024-05-11T23:59:59Z"
        }
    }
}
```
Replace {app-id} in the endpoint with the app’s ID from the Windows Package Manager (winget) repository, and replace the groupId value with the ID of the Azure AD group you’re targeting. The above JSON code will assign the app to the targeted group and set the deadline.
Please remember the deadlineDateTime property is in ISO 8601 time format. I have developed the below PowerShell code to convert the date and time to ISO 8601 format. Replace $inputDateTime with your choice.
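```powershell
# Define the input date and time string (interpreted as local time)
$inputDateTime = "2024/04/23 12:00 PM"
# Parse the input date and time string into a DateTime object.
# InvariantCulture keeps the AM/PM parsing independent of the machine's regional settings.
$dateTime = [DateTime]::ParseExact($inputDateTime, "yyyy/MM/dd hh:mm tt", [System.Globalization.CultureInfo]::InvariantCulture)
# Convert to UTC before formatting, because the trailing Z marks the value as UTC
$outputDateTime = $dateTime.ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss'Z'", [System.Globalization.CultureInfo]::InvariantCulture)
# Output the result
$outputDateTime
```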
Verify the JSON inputs and click Run query to assign the Microsoft Store App using Graph API. Please note that you must have DeviceManagementApps.ReadWrite.All permission to execute the query.
Within seconds of clicking Run query, you will receive a success message with the text created – 201. The output response can be checked in the Response Preview panel.
Let’s sign in to the Microsoft Intune Admin portal and verify the application assignment. Select the application that you deployed to check the assignment status from properties.
To trigger the installation of an app as soon as possible without specifying a deadline, you can omit the installTimeSettings property from the assignment settings in your Graph API request. This will instruct Intune to start the app installation immediately after the policy is received by the target devices.
The JSON code below will assign the App to the targeted group and trigger the installation immediately.
```json
{
    "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "groupId": "48bd6547-dc18-498e-8143-11c49a818836"
    },
    "intent": "required",
    "settings": {
        "@odata.type": "#microsoft.graph.winGetAppAssignmentSettings"
    }
}
```
As in the first scenario, click Run query, and you will receive a success message with the text created-201. The output response can be checked in the Response Preview panel.
Sign back in to the Microsoft Intune Admin portal and verify the application assignment. This time, no deadline is specified, so the installation deadline will be set to as soon as possible.
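Both request bodies above can also be generated rather than typed by hand. The following PowerShell is an added example, not the author's code: the function name New-WinGetAssignmentBody and its parameters are hypothetical, and the past-deadline check is an assumption added here as a sanity guard. It builds the body from a hashtable, so the group ID is validated as a GUID and the deadline is always emitted in UTC.

```powershell
# Added example (not the author's code). Function and parameter names are hypothetical.
function New-WinGetAssignmentBody {
    [CmdletBinding()]
    param(
        # Binding to [guid] rejects anything that is not a well-formed object ID
        [Parameter(Mandatory)] [guid] $GroupId,
        # Optional deadline; leave it out for the "as soon as possible" scenario
        [datetime] $Deadline
    )

    $settings = [ordered]@{
        '@odata.type' = '#microsoft.graph.winGetAppAssignmentSettings'
    }

    if ($PSBoundParameters.ContainsKey('Deadline')) {
        # A DateTime without an explicit kind is treated as local time here
        $utc = $Deadline.ToUniversalTime()
        # Assumption: a deadline that has already passed is treated as an input mistake
        if ($utc -le [datetime]::UtcNow) {
            throw "Deadline $($utc.ToString('u')) is already in the past."
        }
        $settings['installTimeSettings'] = @{
            deadlineDateTime = $utc.ToString("yyyy-MM-dd'T'HH:mm:ss'Z'",
                [System.Globalization.CultureInfo]::InvariantCulture)
        }
    }

    $body = [ordered]@{
        target   = [ordered]@{
            '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
            groupId       = $GroupId.ToString()
        }
        intent   = 'required'
        settings = $settings
    }

    # ConvertTo-Json handles quoting and escaping, so no value is spliced into raw JSON text
    $body | ConvertTo-Json -Depth 5
}

# Sample call values: the group ID is the one shown in the JSON above
$sampleGroupId = '48bd6547-dc18-498e-8143-11c49a818836'
New-WinGetAssignmentBody -GroupId $sampleGroupId                                  # no deadline
New-WinGetAssignmentBody -GroupId $sampleGroupId -Deadline (Get-Date).AddDays(7)  # deadline in UTC
```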
Automate Intune App Deployment using Microsoft Graph via PowerShell – Assign the Microsoft Store App
What if you prefer to automate the assignment of the Microsoft Store App completely, with PowerShell code that performs all the tasks mentioned above? Let’s learn how to assign the Microsoft Store App using Microsoft Graph via PowerShell.
NOTE! Use the Connect-MgGraph command to sign in with the required scopes. You'll need to sign in with an admin account to consent to the required scopes.
I have written a PowerShell script to create a Store app deployment using Microsoft Graph. You must have enough permission to execute the script below.
```powershell
##########################################################################
#IntuneAppdeployment_GraphAPI.ps1
#Scope : This script will create a new Store App deployment in Intune
#Author : Sujin Nelladath
#LinkedIn : https://www.linkedin.com/in/sujin-nelladath-8911968a/
##########################################################################

#Connect to MgGraph. The group lookup below needs a group read scope in addition to the app scope.
Connect-MgGraph -Scopes DeviceManagementApps.ReadWrite.All, GroupMember.Read.All

#Graph URL to get APP id and Group ID. Replace the group and app name
$AppIDURL = 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps?$filter=displayName eq ''Microsoft Whiteboard'' and (isof(''microsoft.graph.winGetApp''))&$select=id'
$GroupIDURL = 'https://graph.microsoft.com/v1.0/groups?$filter=displayName eq ''HTMD - Test Computers''&$select=id'

#Get App ID
$invokeAppID = Invoke-MgGraphRequest -Uri $AppIDURL -Method GET
$JSONAppID = $invokeAppID | ConvertTo-Json
$JS = $JSONAppID | ConvertFrom-Json
#Display names are not unique, so stop unless exactly one app matched
$Apps = @($JS.value | Where-Object { $_.id })
if ($Apps.Count -ne 1) { throw "Expected exactly one matching app, found $($Apps.Count)." }
$AppID = $Apps[0].id

#Get Group ID
$invokeGroupID = Invoke-MgGraphRequest -Uri $GroupIDURL -Method GET
$JSONGrpID = $invokeGroupID | ConvertTo-Json
$JSgrp = $JSONGrpID | ConvertFrom-Json
#Same check for the group, so the app is never assigned to an unintended group
$Groups = @($JSgrp.value | Where-Object { $_.id })
if ($Groups.Count -ne 1) { throw "Expected exactly one matching group, found $($Groups.Count)." }
$GrpID = $Groups[0].id

#Request body (double quotes need no escaping inside a here-string)
$body = @"
{
    "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "groupId": "$GrpID"
    },
    "intent": "required",
    "settings": {
        "@odata.type": "#microsoft.graph.winGetAppAssignmentSettings",
        "installTimeSettings": {
            "deadlineDateTime": "2024-05-11T23:59:59Z"
        }
    }
}
"@

#Create Application Assignment
$CreateAPP = "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$AppID/assignments"
$invokeAppCreate = Invoke-MgGraphRequest -Uri $CreateAPP -Method POST -Body $body
```
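The portal check described earlier can also be done through Graph by reading the assignments back. This is an added example, not part of the author's script: the function name Test-AppAssignment is hypothetical, and it assumes an existing Connect-MgGraph session with at least DeviceManagementApps.Read.All plus the $AppID and $GrpID values resolved by the script above.

```powershell
# Added example (not the author's code). Reads the app's assignments back from Graph
# and reports whether the intended group/intent pair is present.
function Test-AppAssignment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [guid] $AppId,
        [Parameter(Mandatory)] [guid] $GroupId,
        [string] $ExpectedIntent = 'required'
    )

    $uri = "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$AppId/assignments"
    $found = @()
    # Follow @odata.nextLink so that no page of assignments is missed
    while ($uri) {
        $page  = Invoke-MgGraphRequest -Uri $uri -Method GET
        $found += $page.value
        $uri   = $page.'@odata.nextLink'
    }

    # One row per assignment, so any additional or broader target is visible too
    $report = foreach ($a in $found) {
        [pscustomobject]@{
            TargetType = $a.target.'@odata.type' -replace '^#microsoft\.graph\.', ''
            GroupId    = $a.target.groupId
            Intent     = $a.intent
            Deadline   = $a.settings.installTimeSettings.deadlineDateTime
            Expected   = ($a.target.groupId -eq "$GroupId" -and $a.intent -eq $ExpectedIntent)
        }
    }

    if (-not ($report | Where-Object Expected)) {
        Write-Warning "No '$ExpectedIntent' assignment to group $GroupId found on app $AppId."
    }
    $report
}

# Uses the IDs resolved by the deployment script
Test-AppAssignment -AppId $AppID -GroupId $GrpID | Format-Table -AutoSize
```

Rows where Expected is False are assignments other than the one just created and are worth reviewing before the deadline passes.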
This article will be a valuable resource for you and your organization in automating the Intune app deployment process using Microsoft Graph API and PowerShell. I appreciate your patience in reading this post. I look forward to seeing you in the next post. Keep supporting the HTMD Community.
Author
About the Author – Sujin Nelladath has over 10 years of experience in SCCM device management and Automation solutions. He writes and shares his experiences with Microsoft device management technologies, Azure, and PowerShell automation.
Hi,
Is this automation applicable only for assignment of Store Apps? I checked for a Win32 application and it failed to execute.